forked from renehonig/nebula

Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security from Slack


mattisz/nebula

 
 


nebula


Nebula is a scalable overlay networking tool with a focus on performance, simplicity and security. It lets you seamlessly connect computers anywhere in the world. Nebula is portable, and runs on Linux, OSX, and Windows. (Also: keep this quiet, but we have an early prototype running on iOS). It can be used to connect a small number of computers, but is also able to connect tens of thousands of computers.

This repository is a fork of https://github.com/buildsociety/nebula, all credits to them. The fork allows me to build my own images and to better control the build pipeline from a configuration and security perspective. I suggest you do the same if you use the image for critical applications.

Supported Architectures

The images support multiple architectures such as x86-64, arm64 and armhf. We utilise the docker manifest for multi-platform awareness. More information is available from docker here.

Simply pulling renehonig/nebula should retrieve the correct image for your arch.

Version Tags

This image provides various versions that are available via tags. The latest tag usually provides the latest stable version. Others are considered under development and caution must be exercised when using them.

Tag      Description
latest   Stable Nebula Releases
edge     Latest Nebula Releases
v1.5.2   Nebula 1.2.0 Release

Usage

Here are some example snippets to help you get started creating a container.

docker

docker pull renehonig/nebula:latest

and

docker run -td --cap-add=NET_ADMIN --device=/dev/net/tun -v /path/to/config:/config --name nebula renehonig/nebula:latest

or as a privileged container:

docker run -td --privileged -v /path/to/config:/config --name nebula renehonig/nebula:latest

using docker-compose

version: "3"
services:
  nebula:
    image: renehonig/nebula:latest
    container_name: nebula
    volumes:
      - '/path/to/config:/config'
    cap_add:
      - NET_ADMIN
    network_mode: "host"
    devices:
      - /dev/net/tun:/dev/net/tun

User documentation for Nebula can be found at https://github.com/slackhq/nebula#readme

Kubernetes Sidecar

For testing, you can use a ConfigMap, but for production it is better to use a Secret, because the configuration embeds the host's private key.

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: 'nebula-conf'
data:
  nebula.conf: |
    # Insert the contents of your config.yaml here.
    # The certificates and key can (and in this setup must) be inlined,
    # as in the example below.
    pki:
      ca: |
        -----BEGIN NEBULA CERTIFICATE-----
        certificate data
        -----END NEBULA CERTIFICATE-----
      cert: |
        -----BEGIN NEBULA CERTIFICATE-----
        certificate data
        -----END NEBULA CERTIFICATE-----
      key: |
        -----BEGIN NEBULA X25519 PRIVATE KEY-----
        private key data
        -----END NEBULA X25519 PRIVATE KEY-----
    # the rest of the config file.

and

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ...
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ...
  template:
    metadata:
      labels:
        app: ...
    spec:
      containers:
        - name: ...
        - name: nebula
          image: renehonig/nebula:v1.5.2
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          volumeMounts:
            - mountPath: /config/config.yaml
              readOnly: true
              name: nebula-conf
            - mountPath: /dev/net/tun
              name: devnet
          args: ["-config", "/config/config.yaml" ] 
      volumes:
        - name: nebula-conf
          configMap:
            name: nebula-conf
            items:
              - key: nebula.conf
                path: config.yaml
        - name: devnet
          hostPath:
            path: /dev/net/tun

or as a privileged container:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ...
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ...
  template:
    metadata:
      labels:
        app: ...
    spec:
      containers:
        - name: ...
        - name: nebula
          image: renehonig/nebula:v1.5.2
          securityContext:
            privileged: true
          volumeMounts:
            - mountPath: /config/config.yaml
              readOnly: true
              name: nebula-conf
          args: ["-config", "/config/config.yaml" ] 
      volumes:
        - name: nebula-conf
          configMap:
            name: nebula-conf
            items:
              - key: nebula.conf
                path: config.yaml
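
The Secret-based variant recommended above for production, as an added example that is not part of the original README. It reuses the README's `nebula-conf` name and `nebula.conf` key; the certificate and key bodies are placeholders, and the `defaultMode` value assumes the nebula process runs as the owner of the mounted file.

```yaml
---
# Added example: a Secret that replaces the 'nebula-conf' ConfigMap.
apiVersion: v1
kind: Secret
metadata:
  name: nebula-conf
type: Opaque
stringData:              # plain-text input; stored base64-encoded by the API server
  nebula.conf: |
    pki:
      ca: |
        -----BEGIN NEBULA CERTIFICATE-----
        certificate data
        -----END NEBULA CERTIFICATE-----
      cert: |
        -----BEGIN NEBULA CERTIFICATE-----
        certificate data
        -----END NEBULA CERTIFICATE-----
      key: |
        -----BEGIN NEBULA X25519 PRIVATE KEY-----
        private key data
        -----END NEBULA X25519 PRIVATE KEY-----
    # the rest of the config file.
---
# Fragment: replaces the 'nebula-conf' entry under spec.template.spec.volumes
# in either Deployment above. The container's volumeMounts stay unchanged.
volumes:
  - name: nebula-conf
    secret:
      secretName: nebula-conf
      defaultMode: 0400  # owner read-only (assumption: process runs as file owner)
      items:
        - key: nebula.conf
          path: config.yaml
```

A Secret is only base64-encoded in etcd unless encryption at rest is enabled on the cluster, so restrict `get`/`list` on Secrets in the namespace with RBAC as well.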

Parameters

Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate <external>:<internal> respectively. For example, -p 8080:80 would expose port 80 from inside the container to be accessible from the host's IP on port 8080 outside the container.

Parameter    Function
-v /config   Nebula configuration directory.

Support Info

  • Shell access whilst the container is running: docker exec -it nebula /bin/sh
  • To monitor the logs of the container in realtime: docker logs -f nebula
  • container version number
    • docker inspect -f '{{ index .Config.Labels "build_version" }}' nebula
  • image version number
    • docker inspect -f '{{ index .Config.Labels "build_version" }}' renehonig/nebula

Updating Info

Most of our images are static, versioned, and require an image update and container recreation to update the app inside. We do not recommend or support updating apps inside the container.

An automated process for upgrading your container is available via containrrr/watchtower.

Licence

By using this image, you agree to the Nebula licence
